Google Professional-Cloud-Network-Engineer Exam With Confidence Using Practice Dumps

To configure Cloud CDN for an application hosted outside of Google Cloud (e.g., in AWS), you need to use an internet network endpoint group (NEG). An internet NEG allows you to point to external endpoints using their FQDN or IP address. Cloud CDN works with external HTTP(S) Load Balancers, and you enable CDN on the backend service associated with the load balancer. A Network Load Balancer (passthrough) does not support Cloud CDN.

Exact Extract:

"To enable Cloud CDN for content hosted outside of Google Cloud, you must use an external HTTP(S) Load Balancer with an internet network endpoint group (NEG)."

"An internet NEG specifies one or more external endpoints that can be reached by an external HTTP(S) Load Balancer. You can specify endpoints using an IP address and port, or a fully qualified domain name (FQDN) and port."

"Cloud CDN is enabled on the backend service of an external HTTP(S) Load Balancer."Reference: Google Cloud CDN Documentation - Caching external content, Internet NEGs overview

The problem description indicates that VMs in VPC2 receive traffic but their replies don't reach VPC1, especially when a VPN gateway fails. This strongly suggests an asymmetric routing issue, where VPC2's routing table might not be aware of all necessary routes to send return traffic to VPC1, particularly in a multi-region setup with failover. By default, VPC networks are in regional dynamic routing mode, meaning they only learn routes from Cloud Routers in the same region. To ensure that routes learned from one region (where the active VPN tunnel might be) are available globally across the VPC, you need to enable global dynamic routing mode in the VPC that is experiencing the return traffic issue (VPC2 in this case). This allows VPC2 to learn and apply routes from Cloud Routers in all regions, ensuring that even if a VPN tunnel fails in one region, the routes learned from the active tunnel in another region are still available for return traffic.

Exact Extract:

"A VPC network's dynamic routing mode controls whether routes learned by Cloud Routers in one region are available to VMs in other regions. By default, VPC networks are in regional dynamic routing mode, which means Cloud Routers in a region only advertise routes to and learn routes from other Cloud Routers in the same region. This can lead to asymmetric routing issues in multi-region deployments."

"To ensure that routes learned from Cloud Routers are propagated to all regions within a VPC network, you must set the dynamic routing mode to global."Reference: Google Cloud VPC Documentation - Dynamic routing mode

For GKE pods that need to egress directly to the internet for most of their communications, the most cost-efficient and straightforward approach is to deploy a GKE cluster with public cluster nodes. Public nodes have external IP addresses, allowing pods to directly reach the internet. This eliminates the need for additional services like Cloud NAT or Secure Web Proxy for outbound internet access, which would incur extra costs and management overhead.

Exact Extract:

"Public clusters have nodes with external IP addresses, allowing them to directly initiate connections to the internet. This is the simplest configuration for clusters that require direct internet egress for their workloads."

"When using public clusters, Cloud NAT is not required for outbound internet connectivity from the nodes or pods, as they can use their external IP addresses. This can reduce operational overhead and cost compared to private clusters that need NAT."Reference: Google Kubernetes Engine Documentation - Cluster network configuration, Public clusters vs Private clusters